No holds barred? EU Data Retention Directive declared invalid by the Court of Justice
09 April 2014
by Jevan Neilan, Associate
The Court of Justice of the European Union (the “Court”), in response to questions submitted from Austria and Ireland, has found the European Data Retention Directive to be invalid. The decision comes a number of months after a similar Opinion by the Advocate General, an influential yet independent adviser to the Court. Both the Advocate General and the Court considered the Directive to be incompatible with the EU Charter of Fundamental Rights. In particular, the Court found the Directive posed a serious interference with the rights to respect for private life and to the protection of personal data.
How did the decision come about?
European law permits national courts to submit questions to the Court on the interpretation of EU legislation. The Irish High Court referred questions from a case taken by Digital Rights Ireland, an organisation dedicated to defending civil, human and legal rights in a digital context.
The questions concerned the validity of the 2006 Data Retention Directive, which obliged Member States to introduce laws compelling the storage of telecommunications data. The Directive required the collection and retention of traffic and location data by companies such as mobile and broadband providers for a period of up to two years. However, content data, including email or SMS content, did not need to be retained.
What did the Court decide?
The Court indicated that the retention of such a broad range of data provided an opportunity to construct a picture of a person’s private life. This meant that information of someone’s habits, activities, daily movements or social relationships could be assembled. As a result, the Court found the Directive incompatible with the fundamental right to privacy.
The Court turned to consider whether there was any justification for the interference with these rights. While the Directive aimed to tackle an important issue – the fight against serious crime – the Court considered that European lawmakers had gone beyond what was proportionate.
A number of issues were highlighted by the Court. The Directive did not limit the restriction of privacy rights to what was strictly necessary. Instead, it was broad and far-reaching, and did not specify or limit categories of individuals, methods of communication or the types of traffic data that were collected. The term ‘serious crime’ was also left to Member States to define, resulting in varying descriptions at national level.
There was a notable absence of specific procedures or sufficient restrictions for access to and use of the data by national authorities. Similarly, there were no principles set out in the Directive to determine appropriate periods for retention. Finally, the Court drew attention to the risk of abuse or unauthorised access due to the lack of guidelines on data security and deletion measures.
What effect will this have?
The ruling will have a notable impact on the outcomes of the Austrian and Irish cases. The decision fundamentally calls into question the status of legislation, such as Ireland’s Communications (Retention of Data) Act 2011, introduced on foot of the Directive.
The judgment demonstrates the Court’s willingness to invoke the Charter of Fundamental Rights in reviewing and invalidating European legislation and shows a robust interpretation of the right to privacy and data protection. The decision appears to show the Court’s concern about the blanket collection and retention of data in the absence of sufficient safeguards and harmonised and proportionate boundaries. This was reflected in the Court’s willingness to invalidate EU laws based on a finding that these laws are, in substance, a disproportionate infringement of fundamental rights contained in the Charter. However, while seeking to balance competing rights and interests, the Court does not appear to have adopted an overly restrictive approach to data protection.